policy.c revision 1.21
1/* $OpenBSD: policy.c,v 1.21 2001/01/27 12:03:34 niklas Exp $ */ 2/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ 3 4/* 5 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. All advertising materials mentioning features or use of this software 17 * must display the following acknowledgement: 18 * This product includes software developed by Ericsson Radio Systems. 19 * 4. The name of the author may not be used to endorse or promote products 20 * derived from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34/* 35 * This code was written under funding by Ericsson Radio Systems. 36 */ 37 38#include <sys/types.h> 39#include <sys/param.h> 40#include <sys/mman.h> 41#include <sys/queue.h> 42#include <sys/stat.h> 43#include <regex.h> 44#include <ctype.h> 45#include <fcntl.h> 46#include <stdio.h> 47#include <stdlib.h> 48#include <string.h> 49#include <unistd.h> 50#include <keynote.h> 51#include <sys/socket.h> 52#include <netinet/in.h> 53#include <arpa/inet.h> 54#include <errno.h> 55#include <openssl/ssl.h> 56 57#include "sysdep.h" 58 59#include "app.h" 60#include "conf.h" 61#include "connection.h" 62#include "cookie.h" 63#include "doi.h" 64#include "dyn.h" 65#include "exchange.h" 66#include "init.h" 67#include "ipsec.h" 68#include "isakmp_doi.h" 69#include "math_group.h" 70#include "sa.h" 71#include "timer.h" 72#include "transport.h" 73#include "udp.h" 74#include "log.h" 75#include "message.h" 76#include "ui.h" 77#include "util.h" 78#include "policy.h" 79#include "x509.h" 80 81#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) && 0 82 83void *libkeynote = 0; 84 85/* 86 * These prototypes matches OpenBSD keynote.h 1.6. If you use 87 * a different version than that, you are on your own. 88 */ 89int *lk_keynote_errno; 90int (*lk_kn_add_action) (int, char *, char *, int); 91int (*lk_kn_add_assertion) (int, char *, int, int); 92int (*lk_kn_add_authorizer) (int, char *); 93int (*lk_kn_close) (int); 94int (*lk_kn_do_query) (int, char **, int); 95char *(*lk_kn_encode_key) (struct keynote_deckey *, int, int, int); 96int (*lk_kn_init) (void); 97char **(*lk_kn_read_asserts) (char *, int, int *); 98int (*lk_kn_remove_authorizer) (int, char *); 99int (*lk_kn_get_authorizer) (int, int, int *); 100void (*lk_kn_free_key) (struct keynote_deckey *); 101struct keynote_keylist *(*lk_kn_get_licensees) (int, int); 102#define SYMENTRY(x) { SYM, SYM (x), (void **)&lk_ ## x } 103 104static struct dynload_script libkeynote_script[] = { 105 { LOAD, "libc.so", &libkeynote }, 106 { LOAD, "libcrypto.so", &libkeynote }, 107 { LOAD, "libm.so", &libkeynote }, 108 { LOAD, "libkeynote.so", &libkeynote }, 109 SYMENTRY (keynote_errno), 110 SYMENTRY (kn_add_action), 111 SYMENTRY (kn_add_assertion), 112 SYMENTRY (kn_add_authorizer), 113 SYMENTRY (kn_close), 114 SYMENTRY (kn_do_query), 115 SYMENTRY (kn_encode_key), 116 SYMENTRY (kn_init), 117 SYMENTRY (kn_read_asserts), 118 SYMENTRY (kn_remove_authorizer), 119 SYMENTRY (kn_get_licensees), 120 SYMENTRY (kn_get_authorizer), 121 { EOS } 122}; 123#endif 124 125int keynote_sessid = -1; 126char **keynote_policy_asserts = NULL; 127int keynote_policy_asserts_num = 0; 128char **x509_policy_asserts = NULL; 129int x509_policy_asserts_num = 0; 130int x509_policy_asserts_num_alloc = 0; 131struct exchange *policy_exchange = 0; 132struct sa *policy_sa = 0; 133struct sa *policy_isakmp_sa = 0; 134 135/* 136 * Adaptation of Vixie's inet_ntop4 () 137 */ 138static const char * 139my_inet_ntop4 (const in_addr_t *src, char *dst, size_t size, int normalize) 140{ 141 static const char fmt[] = "%03u.%03u.%03u.%03u"; 142 char tmp[sizeof "255.255.255.255"]; 143 in_addr_t src2; 144 145 if (normalize) 146 src2 = ntohl (*src); 147 else 148 src2 = *src; 149 150 if (sprintf (tmp, fmt, ((u_int8_t *) &src2)[0], ((u_int8_t *) &src2)[1], 151 ((u_int8_t *) &src2)[2], ((u_int8_t *) &src2)[3]) > size) 152 { 153 errno = ENOSPC; 154 return 0; 155 } 156 strcpy (dst, tmp); 157 return dst; 158} 159 160char * 161policy_callback (char *name) 162{ 163 struct proto *proto; 164 165 u_int8_t *attr, *value, *id, *idlocal, *idremote; 166 size_t id_sz, idlocalsz, idremotesz; 167 struct sockaddr_in *sin; 168 struct ipsec_exch *ie; 169 struct ipsec_sa *is; 170 int fmt, lifetype = 0; 171 in_addr_t net, subnet; 172 u_int16_t len, type; 173 time_t tt; 174 static char mytimeofday[15]; 175 176 /* We use all these as a cache. */ 177 static char *esp_present, *ah_present, *comp_present; 178 static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; 179 static char *comp_alg, ah_life_kbytes[32], ah_life_seconds[32]; 180 static char esp_life_kbytes[32], esp_life_seconds[32], comp_life_kbytes[32]; 181 static char comp_life_seconds[32], *ah_encapsulation, *esp_encapsulation; 182 static char *comp_encapsulation, ah_key_length[32], esp_key_length[32]; 183 static char ah_key_rounds[32], esp_key_rounds[32], comp_dict_size[32]; 184 static char comp_private_alg[32], *remote_filter_type, *local_filter_type; 185 static char remote_filter_addr_upper[64], remote_filter_addr_lower[64]; 186 static char local_filter_addr_upper[64], local_filter_addr_lower[64]; 187 static char ah_group_desc[32], esp_group_desc[32], comp_group_desc[32]; 188 static char remote_ike_address[64], local_ike_address[64]; 189 static char *remote_id_type, remote_id_addr_upper[64], *phase_1; 190 static char remote_id_addr_lower[64], *remote_id_proto, remote_id_port[32]; 191 static char remote_filter_port[32], local_filter_port[32]; 192 static char *remote_filter_proto, *local_filter_proto, *pfs, *initiator; 193 static char remote_filter_proto_num[3], local_filter_proto_num[3]; 194 static char remote_id_proto_num[3]; 195 static char phase1_group[32]; 196 197 /* Allocated. */ 198 static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; 199 200 static int dirty = 1; 201 202 /* We only need to set dirty at initialization time really. */ 203 if (strcmp (name, KEYNOTE_CALLBACK_CLEANUP) == 0 204 || strcmp (name, KEYNOTE_CALLBACK_INITIALIZE) == 0) 205 { 206 esp_present = ah_present = comp_present = pfs = "no"; 207 ah_hash_alg = ah_auth_alg = phase_1 = ""; 208 esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; 209 esp_encapsulation = comp_encapsulation = remote_filter_type = ""; 210 local_filter_type = remote_id_type = initiator = ""; 211 remote_filter_proto = local_filter_proto = remote_id_proto = ""; 212 213 if (remote_filter != 0) 214 { 215 free (remote_filter); 216 remote_filter = 0; 217 } 218 219 if (local_filter != 0) 220 { 221 free (local_filter); 222 local_filter = 0; 223 } 224 225 if (remote_id != 0) 226 { 227 free (remote_id); 228 remote_id = 0; 229 } 230 231 memset (remote_ike_address, 0, sizeof remote_ike_address); 232 memset (local_ike_address, 0, sizeof local_ike_address); 233 memset (ah_life_kbytes, 0, sizeof ah_life_kbytes); 234 memset (ah_life_seconds, 0, sizeof ah_life_seconds); 235 memset (esp_life_kbytes, 0, sizeof esp_life_kbytes); 236 memset (esp_life_seconds, 0, sizeof esp_life_seconds); 237 memset (comp_life_kbytes, 0, sizeof comp_life_kbytes); 238 memset (comp_life_seconds, 0, sizeof comp_life_seconds); 239 memset (ah_key_length, 0, sizeof ah_key_length); 240 memset (ah_key_rounds, 0, sizeof ah_key_rounds); 241 memset (esp_key_length, 0, sizeof esp_key_length); 242 memset (esp_key_rounds, 0, sizeof esp_key_rounds); 243 memset (comp_dict_size, 0, sizeof comp_dict_size); 244 memset (comp_private_alg, 0, sizeof comp_private_alg); 245 memset (remote_filter_addr_upper, 0, sizeof remote_filter_addr_upper); 246 memset (remote_filter_addr_lower, 0, sizeof remote_filter_addr_lower); 247 memset (local_filter_addr_upper, 0, sizeof local_filter_addr_upper); 248 memset (local_filter_addr_lower, 0, sizeof local_filter_addr_lower); 249 memset (remote_id_addr_upper, 0, sizeof remote_id_addr_upper); 250 memset (remote_id_addr_lower, 0, sizeof remote_id_addr_lower); 251 memset (ah_group_desc, 0, sizeof ah_group_desc); 252 memset (esp_group_desc, 0, sizeof esp_group_desc); 253 memset (remote_id_port, 0, sizeof remote_id_port); 254 memset (remote_filter_port, 0, sizeof remote_filter_port); 255 memset (local_filter_port, 0, sizeof local_filter_port); 256 memset (phase1_group, 0, sizeof phase1_group); 257 258 dirty = 1; 259 return ""; 260 } 261 262 /* 263 * If dirty is set, this is the first request for an attribute, so 264 * populate our value cache. 265 */ 266 if (dirty) 267 { 268 ie = policy_exchange->data; 269 270 if (ie->pfs) 271 pfs = "yes"; 272 273 is = policy_isakmp_sa->data; 274 sprintf (phase1_group, "%u", is->group_desc); 275 276 for (proto = TAILQ_FIRST (&policy_sa->protos); proto; 277 proto = TAILQ_NEXT (proto, link)) 278 { 279 switch (proto->proto) 280 { 281 case IPSEC_PROTO_IPSEC_AH: 282 ah_present = "yes"; 283 switch (proto->id) 284 { 285 case IPSEC_AH_MD5: 286 ah_hash_alg = "md5"; 287 break; 288 289 case IPSEC_AH_SHA: 290 ah_hash_alg = "sha"; 291 break; 292 293 case IPSEC_AH_RIPEMD: 294 ah_hash_alg = "ripemd"; 295 break; 296 297 case IPSEC_AH_DES: 298 ah_hash_alg = "des"; 299 break; 300 } 301 302 break; 303 304 case IPSEC_PROTO_IPSEC_ESP: 305 esp_present = "yes"; 306 switch (proto->id) 307 { 308 case IPSEC_ESP_DES_IV64: 309 esp_enc_alg = "des-iv64"; 310 break; 311 312 case IPSEC_ESP_DES: 313 esp_enc_alg = "des"; 314 break; 315 316 case IPSEC_ESP_3DES: 317 esp_enc_alg = "3des"; 318 break; 319 320 case IPSEC_ESP_AES: 321 esp_enc_alg = "aes"; 322 break; 323 324 case IPSEC_ESP_RC5: 325 esp_enc_alg = "rc5"; 326 break; 327 328 case IPSEC_ESP_IDEA: 329 esp_enc_alg = "idea"; 330 break; 331 332 case IPSEC_ESP_CAST: 333 esp_enc_alg = "cast"; 334 break; 335 336 case IPSEC_ESP_BLOWFISH: 337 esp_enc_alg = "blowfish"; 338 break; 339 340 case IPSEC_ESP_3IDEA: 341 esp_enc_alg = "3idea"; 342 break; 343 344 case IPSEC_ESP_DES_IV32: 345 esp_enc_alg = "des-iv32"; 346 break; 347 348 case IPSEC_ESP_RC4: 349 esp_enc_alg = "rc4"; 350 break; 351 352 case IPSEC_ESP_NULL: 353 esp_enc_alg = "null"; 354 break; 355 } 356 357 break; 358 359 case IPSEC_PROTO_IPCOMP: 360 comp_present = "yes"; 361 switch (proto->id) 362 { 363 case IPSEC_IPCOMP_OUI: 364 comp_alg = "oui"; 365 break; 366 367 case IPSEC_IPCOMP_DEFLATE: 368 comp_alg = "deflate"; 369 break; 370 371 case IPSEC_IPCOMP_LZS: 372 comp_alg = "lzs"; 373 break; 374 375 case IPSEC_IPCOMP_V42BIS: 376 comp_alg = "v42bis"; 377 break; 378 } 379 380 break; 381 } 382 383 for (attr = proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF; 384 attr 385 < proto->chosen->p + GET_ISAKMP_GEN_LENGTH (proto->chosen->p); 386 attr = value + len) 387 { 388 if (attr + ISAKMP_ATTR_VALUE_OFF 389 > (proto->chosen->p 390 + GET_ISAKMP_GEN_LENGTH (proto->chosen->p))) 391 return ""; 392 393 type = GET_ISAKMP_ATTR_TYPE (attr); 394 fmt = ISAKMP_ATTR_FORMAT (type); 395 type = ISAKMP_ATTR_TYPE (type); 396 value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : 397 ISAKMP_ATTR_VALUE_OFF); 398 len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : 399 GET_ISAKMP_ATTR_LENGTH_VALUE (attr)); 400 401 if (value + len > proto->chosen->p + 402 GET_ISAKMP_GEN_LENGTH (proto->chosen->p)) 403 return ""; 404 405 switch (type) 406 { 407 case IPSEC_ATTR_SA_LIFE_TYPE: 408 lifetype = decode_16 (value); 409 break; 410 411 case IPSEC_ATTR_SA_LIFE_DURATION: 412 switch (proto->proto) 413 { 414 case IPSEC_PROTO_IPSEC_AH: 415 if (lifetype == IPSEC_DURATION_SECONDS) 416 { 417 if (len == 2) 418 sprintf (ah_life_seconds, "%u", 419 decode_16 (value)); 420 else 421 sprintf (ah_life_seconds, "%u", 422 decode_32 (value)); 423 } 424 else 425 { 426 if (len == 2) 427 sprintf (ah_life_kbytes, "%u", 428 decode_16 (value)); 429 else 430 sprintf (ah_life_kbytes, "%u", 431 decode_32 (value)); 432 } 433 434 break; 435 436 case IPSEC_PROTO_IPSEC_ESP: 437 if (lifetype == IPSEC_DURATION_SECONDS) 438 { 439 if (len == 2) 440 sprintf (esp_life_seconds, "%u", 441 decode_16 (value)); 442 else 443 sprintf (esp_life_seconds, "%u", 444 decode_32 (value)); 445 } 446 else 447 { 448 if (len == 2) 449 sprintf (esp_life_kbytes, "%u", 450 decode_16 (value)); 451 else 452 sprintf (esp_life_kbytes, "%u", 453 decode_32 (value)); 454 } 455 456 break; 457 458 case IPSEC_PROTO_IPCOMP: 459 if (lifetype == IPSEC_DURATION_SECONDS) 460 { 461 if (len == 2) 462 sprintf (comp_life_seconds, "%u", 463 decode_16 (value)); 464 else 465 sprintf (comp_life_seconds, "%u", 466 decode_32 (value)); 467 } 468 else 469 { 470 if (len == 2) 471 sprintf (comp_life_kbytes, "%u", 472 decode_16 (value)); 473 else 474 sprintf (comp_life_kbytes, "%u", 475 decode_32 (value)); 476 } 477 478 break; 479 } 480 break; 481 482 case IPSEC_ATTR_GROUP_DESCRIPTION: 483 switch (proto->proto) 484 { 485 case IPSEC_PROTO_IPSEC_AH: 486 sprintf (ah_group_desc, "%u", decode_16 (value)); 487 break; 488 489 case IPSEC_PROTO_IPSEC_ESP: 490 sprintf (esp_group_desc, "%u", 491 decode_16 (value)); 492 break; 493 494 case IPSEC_PROTO_IPCOMP: 495 sprintf (comp_group_desc, "%u", 496 decode_16 (value)); 497 break; 498 } 499 break; 500 501 case IPSEC_ATTR_ENCAPSULATION_MODE: 502 if (decode_16 (value) == IPSEC_ENCAP_TUNNEL) 503 switch (proto->proto) 504 { 505 case IPSEC_PROTO_IPSEC_AH: 506 ah_encapsulation = "tunnel"; 507 break; 508 509 case IPSEC_PROTO_IPSEC_ESP: 510 esp_encapsulation = "tunnel"; 511 break; 512 513 case IPSEC_PROTO_IPCOMP: 514 comp_encapsulation = "tunnel"; 515 break; 516 } 517 else 518 switch (proto->proto) 519 { 520 case IPSEC_PROTO_IPSEC_AH: 521 ah_encapsulation = "transport"; 522 break; 523 524 case IPSEC_PROTO_IPSEC_ESP: 525 esp_encapsulation = "transport"; 526 break; 527 528 case IPSEC_PROTO_IPCOMP: 529 comp_encapsulation = "transport"; 530 break; 531 } 532 break; 533 534 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: 535 switch (proto->proto) 536 { 537 case IPSEC_PROTO_IPSEC_AH: 538 switch (decode_16 (value)) 539 { 540 case IPSEC_AUTH_HMAC_MD5: 541 ah_auth_alg = "hmac-md5"; 542 break; 543 544 case IPSEC_AUTH_HMAC_SHA: 545 ah_auth_alg = "hmac-sha"; 546 break; 547 548 case IPSEC_AUTH_HMAC_RIPEMD: 549 ah_auth_alg = "hmac-ripemd"; 550 break; 551 552 case IPSEC_AUTH_DES_MAC: 553 ah_auth_alg = "des-mac"; 554 break; 555 556 case IPSEC_AUTH_KPDK: 557 ah_auth_alg = "kpdk"; 558 break; 559 } 560 break; 561 562 case IPSEC_PROTO_IPSEC_ESP: 563 switch (decode_16 (value)) 564 { 565 case IPSEC_AUTH_HMAC_MD5: 566 esp_auth_alg = "hmac-md5"; 567 break; 568 569 case IPSEC_AUTH_HMAC_SHA: 570 esp_auth_alg = "hmac-sha"; 571 break; 572 573 case IPSEC_AUTH_HMAC_RIPEMD: 574 esp_auth_alg = "hmac-ripemd"; 575 break; 576 577 case IPSEC_AUTH_DES_MAC: 578 esp_auth_alg = "des-mac"; 579 break; 580 581 case IPSEC_AUTH_KPDK: 582 esp_auth_alg = "kpdk"; 583 break; 584 } 585 break; 586 } 587 break; 588 589 case IPSEC_ATTR_KEY_LENGTH: 590 switch (proto->proto) 591 { 592 case IPSEC_PROTO_IPSEC_AH: 593 sprintf (ah_key_length, "%u", decode_16 (value)); 594 break; 595 596 case IPSEC_PROTO_IPSEC_ESP: 597 sprintf (esp_key_length, "%u", 598 decode_16 (value)); 599 break; 600 } 601 break; 602 603 case IPSEC_ATTR_KEY_ROUNDS: 604 switch (proto->proto) 605 { 606 case IPSEC_PROTO_IPSEC_AH: 607 sprintf (ah_key_rounds, "%u", decode_16 (value)); 608 break; 609 610 case IPSEC_PROTO_IPSEC_ESP: 611 sprintf (esp_key_rounds, "%u", 612 decode_16 (value)); 613 break; 614 } 615 break; 616 617 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: 618 sprintf (comp_dict_size, "%u", decode_16 (value)); 619 break; 620 621 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: 622 sprintf (comp_private_alg, "%u", decode_16 (value)); 623 break; 624 } 625 } 626 } 627 628 /* XXX IPv4-specific. */ 629 policy_sa->transport->vtbl->get_src (policy_sa->transport, 630 (struct sockaddr **) &sin, &fmt); 631 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_ike_address, 632 sizeof local_ike_address - 1, 0); 633 634 policy_sa->transport->vtbl->get_dst (policy_sa->transport, 635 (struct sockaddr **) &sin, &fmt); 636 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_ike_address, 637 sizeof remote_ike_address - 1, 0); 638 639 switch (policy_isakmp_sa->exch_type) 640 { 641 case ISAKMP_EXCH_AGGRESSIVE: 642 phase_1 = "aggressive"; 643 break; 644 645 case ISAKMP_EXCH_ID_PROT: 646 phase_1 = "main"; 647 break; 648 } 649 650 if (policy_isakmp_sa->initiator) 651 { 652 id = policy_isakmp_sa->id_r; 653 id_sz = policy_isakmp_sa->id_r_len; 654 } 655 else 656 { 657 id = policy_isakmp_sa->id_i; 658 id_sz = policy_isakmp_sa->id_i_len; 659 } 660 661 switch (id[0]) 662 { 663 case IPSEC_ID_IPV4_ADDR: 664 remote_id_type = "IPv4 address"; 665 666 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 667 my_inet_ntop4 (&net, remote_id_addr_upper, 668 sizeof remote_id_addr_upper - 1, 1); 669 my_inet_ntop4 (&net, remote_id_addr_lower, 670 sizeof remote_id_addr_lower - 1, 1); 671 remote_id = strdup (remote_id_addr_upper); 672 if (!remote_id) 673 { 674 log_print ("policy_callback: strdup (\"%s\") failed", 675 remote_id_addr_upper); 676 goto bad; 677 } 678 break; 679 680 case IPSEC_ID_IPV4_RANGE: 681 remote_id_type = "IPv4 range"; 682 683 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 684 my_inet_ntop4 (&net, remote_id_addr_lower, 685 sizeof remote_id_addr_lower - 1, 1); 686 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 687 my_inet_ntop4 (&net, remote_id_addr_upper, 688 sizeof remote_id_addr_upper - 1, 1); 689 remote_id = calloc (strlen (remote_id_addr_upper) 690 + strlen (remote_id_addr_lower) + 2, 691 sizeof (char)); 692 if (!remote_id) 693 { 694 log_print ("policy_callback: calloc (%d, %d) failed", 695 strlen (remote_id_addr_upper) 696 + strlen (remote_id_addr_lower) + 2, 697 sizeof (char)); 698 goto bad; 699 } 700 701 strcpy (remote_id, remote_id_addr_lower); 702 remote_id[strlen (remote_id_addr_lower)] = '-'; 703 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 704 remote_id_addr_upper); 705 break; 706 707 case IPSEC_ID_IPV4_ADDR_SUBNET: 708 remote_id_type = "IPv4 subnet"; 709 710 net = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); 711 subnet = decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 4); 712 net &= subnet; 713 my_inet_ntop4 (&net, remote_id_addr_lower, 714 sizeof remote_id_addr_lower - 1, 1); 715 net |= ~subnet; 716 my_inet_ntop4 (&net, remote_id_addr_upper, 717 sizeof remote_id_addr_upper - 1, 1); 718 remote_id = calloc (strlen (remote_id_addr_upper) 719 + strlen (remote_id_addr_lower) + 2, 720 sizeof (char)); 721 if (!remote_id) 722 { 723 log_print ("policy_callback: calloc (%d, %d) failed", 724 strlen (remote_id_addr_upper) 725 + strlen (remote_id_addr_lower) + 2, 726 sizeof (char)); 727 goto bad; 728 } 729 730 strcpy (remote_id, remote_id_addr_lower); 731 remote_id[strlen (remote_id_addr_lower)] = '-'; 732 strcpy (remote_id + strlen (remote_id_addr_lower) + 1, 733 remote_id_addr_upper); 734 break; 735 736 case IPSEC_ID_IPV6_ADDR: 737 /* XXX Not yet implemented. */ 738 remote_id_type = "IPv6 address"; 739 break; 740 741 case IPSEC_ID_IPV6_RANGE: 742 /* XXX Not yet implemented. */ 743 remote_id_type = "IPv6 range"; 744 break; 745 746 case IPSEC_ID_IPV6_ADDR_SUBNET: 747 /* XXX Not yet implemented. */ 748 remote_id_type = "IPv6 address"; 749 break; 750 751 case IPSEC_ID_FQDN: 752 remote_id_type = "FQDN"; 753 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 754 sizeof (char)); 755 if (!remote_id) 756 { 757 log_print ("policy_callback: calloc (%d, %d) failed", 758 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 759 sizeof (char)); 760 goto bad; 761 } 762 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 763 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 764 break; 765 766 case IPSEC_ID_USER_FQDN: 767 remote_id_type = "User FQDN"; 768 remote_id = calloc (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 769 sizeof (char)); 770 if (!remote_id) 771 { 772 log_print ("policy_callback: calloc (%d, %d) failed", 773 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1, 774 sizeof (char)); 775 goto bad; 776 } 777 memcpy (remote_id, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, 778 id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); 779 break; 780 781 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 782 remote_id_type = "ASN1 DN"; 783 break; 784 785 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 786 remote_id_type = "ASN1 GN"; 787 break; 788 789 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 790 remote_id_type = "Key ID"; 791 break; 792 793 default: 794 log_print ("policy_callback: unknown remote ID type %u", id[0]); 795 goto bad; 796 } 797 798 switch (id[1]) 799 { 800 case IPPROTO_TCP: 801 remote_id_proto = "tcp"; 802 break; 803 804 case IPPROTO_UDP: 805 remote_id_proto = "udp"; 806 break; 807 808#ifdef IPPROTO_ETHERIP 809 case IPPROTO_ETHERIP: 810 remote_id_proto = "etherip"; 811 break; 812#endif 813 814 default: 815 sprintf (remote_id_proto_num, "%2d", id[1]); 816 remote_id_proto = remote_id_proto_num; 817 break; 818 } 819 820 snprintf (remote_id_port, sizeof remote_id_port - 1, "%u", 821 decode_16 (id + 2)); 822 823 if (policy_exchange->initiator) 824 { 825 initiator = "yes"; 826 idlocal = ie->id_ci; 827 idremote = ie->id_cr; 828 idlocalsz = ie->id_ci_sz; 829 idremotesz = ie->id_cr_sz; 830 } 831 else 832 { 833 initiator = "no"; 834 idlocal = ie->id_cr; 835 idremote = ie->id_ci; 836 idlocalsz = ie->id_cr_sz; 837 idremotesz = ie->id_ci_sz; 838 } 839 840 /* Initialize the ID variables. */ 841 if (idremote) 842 { 843 switch (GET_ISAKMP_ID_TYPE (idremote)) 844 { 845 case IPSEC_ID_IPV4_ADDR: 846 remote_filter_type = "IPv4 address"; 847 848 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 849 my_inet_ntop4 (&net, remote_filter_addr_upper, 850 sizeof remote_filter_addr_upper - 1, 1); 851 my_inet_ntop4 (&net, remote_filter_addr_lower, 852 sizeof (remote_filter_addr_lower) - 1, 1); 853 remote_filter = strdup (remote_filter_addr_upper); 854 if (!remote_filter) 855 { 856 log_print ("policy_callback: strdup (\"%s\") failed", 857 remote_filter_addr_upper); 858 goto bad; 859 } 860 break; 861 862 case IPSEC_ID_IPV4_RANGE: 863 remote_filter_type = "IPv4 range"; 864 865 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 866 my_inet_ntop4 (&net, remote_filter_addr_lower, 867 sizeof remote_filter_addr_lower - 1, 1); 868 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 869 my_inet_ntop4 (&net, remote_filter_addr_upper, 870 sizeof remote_filter_addr_upper - 1, 1); 871 remote_filter = calloc (strlen (remote_filter_addr_upper) 872 + strlen (remote_filter_addr_lower) + 2, 873 sizeof (char)); 874 if (!remote_filter) 875 { 876 log_print ("policy_callback: calloc (%d, %d) failed", 877 strlen (remote_filter_addr_upper) 878 + strlen (remote_filter_addr_lower) + 2, 879 sizeof (char)); 880 goto bad; 881 } 882 strcpy (remote_filter, remote_filter_addr_lower); 883 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 884 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 885 remote_filter_addr_upper); 886 break; 887 888 case IPSEC_ID_IPV4_ADDR_SUBNET: 889 remote_filter_type = "IPv4 subnet"; 890 891 net = decode_32 (idremote + ISAKMP_ID_DATA_OFF); 892 subnet = decode_32 (idremote + ISAKMP_ID_DATA_OFF + 4); 893 net &= subnet; 894 my_inet_ntop4 (&net, remote_filter_addr_lower, 895 sizeof remote_filter_addr_lower - 1, 1); 896 net |= ~subnet; 897 my_inet_ntop4 (&net, remote_filter_addr_upper, 898 sizeof remote_filter_addr_upper - 1, 1); 899 remote_filter = calloc (strlen (remote_filter_addr_upper) 900 + strlen (remote_filter_addr_lower) + 2, 901 sizeof (char)); 902 if (!remote_filter) 903 { 904 log_print ("policy_callback: calloc (%d, %d) failed", 905 strlen (remote_filter_addr_upper) 906 + strlen (remote_filter_addr_lower) + 2, 907 sizeof (char)); 908 goto bad; 909 } 910 strcpy (remote_filter, remote_filter_addr_lower); 911 remote_filter[strlen (remote_filter_addr_lower)] = '-'; 912 strcpy (remote_filter + strlen (remote_filter_addr_lower) + 1, 913 remote_filter_addr_upper); 914 break; 915 916 case IPSEC_ID_IPV6_ADDR: 917 /* XXX Not yet implemented. */ 918 remote_filter_type = "IPv6 address"; 919 break; 920 921 case IPSEC_ID_IPV6_RANGE: 922 /* XXX Not yet implemented. */ 923 remote_filter_type = "IPv6 range"; 924 break; 925 926 case IPSEC_ID_IPV6_ADDR_SUBNET: 927 /* XXX Not yet implemented. */ 928 remote_filter_type = "IPv6 address"; 929 break; 930 931 case IPSEC_ID_FQDN: 932 remote_filter_type = "FQDN"; 933 remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1, 934 sizeof (char)); 935 if (!remote_filter) 936 { 937 log_print ("policy_callback: calloc (%d, %d) failed", 938 idremotesz - ISAKMP_ID_DATA_OFF + 1, 939 sizeof (char)); 940 goto bad; 941 } 942 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 943 idremotesz); 944 break; 945 946 case IPSEC_ID_USER_FQDN: 947 remote_filter_type = "User FQDN"; 948 remote_filter = calloc (idremotesz - ISAKMP_ID_DATA_OFF + 1, 949 sizeof (char)); 950 if (!remote_filter) 951 { 952 log_print ("policy_callback: calloc (%d, %d) failed", 953 idremotesz - ISAKMP_ID_DATA_OFF + 1, 954 sizeof (char)); 955 goto bad; 956 } 957 memcpy (remote_filter, idremote + ISAKMP_ID_DATA_OFF, 958 idremotesz); 959 break; 960 961 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 962 remote_filter_type = "ASN1 DN"; 963 break; 964 965 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 966 remote_filter_type = "ASN1 GN"; 967 break; 968 969 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 970 remote_filter_type = "Key ID"; 971 break; 972 973 default: 974 log_print ("policy_callback: unknown Remote ID type %u", 975 GET_ISAKMP_ID_TYPE (idremote)); 976 goto bad; 977 } 978 979 switch (idremote[ISAKMP_GEN_SZ + 1]) 980 { 981 case IPPROTO_TCP: 982 remote_filter_proto = "tcp"; 983 break; 984 985 case IPPROTO_UDP: 986 remote_filter_proto = "udp"; 987 break; 988 989#ifdef IPPROTO_ETHERIP 990 case IPPROTO_ETHERIP: 991 remote_filter_proto = "etherip"; 992 break; 993#endif 994 995 default: 996 sprintf (remote_filter_proto_num, "%2d", idremote[ISAKMP_GEN_SZ + 1]); 997 remote_filter_proto = remote_filter_proto_num; 998 break; 999 } 1000 1001 snprintf (remote_filter_port, sizeof remote_filter_port - 1, 1002 "%u", decode_16 (idremote + ISAKMP_GEN_SZ + 2)); 1003 } 1004 else 1005 { 1006 policy_sa->transport->vtbl->get_dst (policy_sa->transport, 1007 (struct sockaddr **) &sin, 1008 &fmt); 1009 remote_filter_type = "IPv4 address"; 1010 1011 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_filter_addr_upper, 1012 sizeof remote_filter_addr_upper - 1, 0); 1013 my_inet_ntop4 (&(sin->sin_addr.s_addr), remote_filter_addr_lower, 1014 sizeof remote_filter_addr_lower - 1, 0); 1015 remote_filter = strdup (remote_filter_addr_upper); 1016 if (!remote_filter) 1017 { 1018 log_print ("policy_callback: strdup (\"%s\") failed", 1019 remote_filter_addr_upper); 1020 goto bad; 1021 } 1022 } 1023 1024 if (idlocal) 1025 { 1026 switch (GET_ISAKMP_ID_TYPE (idlocal)) 1027 { 1028 case IPSEC_ID_IPV4_ADDR: 1029 local_filter_type = "IPv4 address"; 1030 1031 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1032 my_inet_ntop4 (&net, local_filter_addr_upper, 1033 sizeof local_filter_addr_upper - 1, 1); 1034 my_inet_ntop4 (&net, local_filter_addr_lower, 1035 sizeof local_filter_addr_upper - 1, 1); 1036 local_filter = strdup (local_filter_addr_upper); 1037 if (!local_filter) 1038 { 1039 log_print ("policy_callback: strdup (\"%s\") failed", 1040 local_filter_addr_upper); 1041 goto bad; 1042 } 1043 break; 1044 1045 case IPSEC_ID_IPV4_RANGE: 1046 local_filter_type = "IPv4 range"; 1047 1048 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1049 my_inet_ntop4 (&net, local_filter_addr_lower, 1050 sizeof local_filter_addr_lower - 1, 1); 1051 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1052 my_inet_ntop4 (&net, local_filter_addr_upper, 1053 sizeof local_filter_addr_upper - 1, 1); 1054 local_filter = calloc (strlen (local_filter_addr_upper) 1055 + strlen (local_filter_addr_lower) + 2, 1056 sizeof (char)); 1057 if (!local_filter) 1058 { 1059 log_print ("policy_callback: calloc (%d, %d) failed", 1060 strlen (local_filter_addr_upper) 1061 + strlen (local_filter_addr_lower) + 2, 1062 sizeof (char)); 1063 goto bad; 1064 } 1065 strcpy (local_filter, local_filter_addr_lower); 1066 local_filter[strlen (local_filter_addr_lower)] = '-'; 1067 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1068 local_filter_addr_upper); 1069 break; 1070 1071 case IPSEC_ID_IPV4_ADDR_SUBNET: 1072 local_filter_type = "IPv4 subnet"; 1073 1074 net = decode_32 (idlocal + ISAKMP_ID_DATA_OFF); 1075 subnet = decode_32 (idlocal + ISAKMP_ID_DATA_OFF + 4); 1076 net &= subnet; 1077 my_inet_ntop4 (&net, local_filter_addr_lower, 1078 sizeof local_filter_addr_lower - 1, 1); 1079 net |= ~subnet; 1080 my_inet_ntop4 (&net, local_filter_addr_upper, 1081 sizeof local_filter_addr_upper - 1, 1); 1082 local_filter = calloc (strlen (local_filter_addr_upper) 1083 + strlen (local_filter_addr_lower) + 2, 1084 sizeof (char)); 1085 if (!local_filter) 1086 { 1087 log_print ("policy_callback: calloc (%d, %d) failed", 1088 strlen (local_filter_addr_upper) 1089 + strlen (local_filter_addr_lower) + 2, 1090 sizeof (char)); 1091 goto bad; 1092 } 1093 strcpy (local_filter, local_filter_addr_lower); 1094 local_filter[strlen (local_filter_addr_lower)] = '-'; 1095 strcpy (local_filter + strlen (local_filter_addr_lower) + 1, 1096 local_filter_addr_upper); 1097 break; 1098 1099 case IPSEC_ID_IPV6_ADDR: 1100 /* XXX Not yet implemented. */ 1101 local_filter_type = "IPv6 address"; 1102 break; 1103 1104 case IPSEC_ID_IPV6_RANGE: 1105 /* XXX Not yet implemented. */ 1106 local_filter_type = "IPv6 range"; 1107 break; 1108 1109 case IPSEC_ID_IPV6_ADDR_SUBNET: 1110 /* XXX Not yet implemented. */ 1111 local_filter_type = "IPv6 address"; 1112 break; 1113 1114 case IPSEC_ID_FQDN: 1115 local_filter_type = "FQDN"; 1116 local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1117 sizeof (char)); 1118 if (!local_filter) 1119 { 1120 log_print ("policy_callback: calloc (%d, %d) failed", 1121 idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1122 sizeof (char)); 1123 goto bad; 1124 } 1125 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1126 idlocalsz); 1127 break; 1128 1129 case IPSEC_ID_USER_FQDN: 1130 local_filter_type = "User FQDN"; 1131 local_filter = calloc (idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1132 sizeof (char)); 1133 if (!local_filter) 1134 { 1135 log_print ("policy_callback: calloc (%d, %d) failed", 1136 idlocalsz - ISAKMP_ID_DATA_OFF + 1, 1137 sizeof (char)); 1138 goto bad; 1139 } 1140 memcpy (local_filter, idlocal + ISAKMP_ID_DATA_OFF, 1141 idlocalsz); 1142 break; 1143 1144 case IPSEC_ID_DER_ASN1_DN: /* XXX -- not sure what's in this. */ 1145 local_filter_type = "ASN1 DN"; 1146 break; 1147 1148 case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure what's in this. */ 1149 local_filter_type = "ASN1 GN"; 1150 break; 1151 1152 case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */ 1153 local_filter_type = "Key ID"; 1154 break; 1155 1156 default: 1157 log_print ("policy_callback: unknown Local ID type %u", 1158 GET_ISAKMP_ID_TYPE (idlocal)); 1159 goto bad; 1160 } 1161 1162 switch (idlocal[ISAKMP_GEN_SZ + 1]) 1163 { 1164 case IPPROTO_TCP: 1165 local_filter_proto = "tcp"; 1166 break; 1167 1168 case IPPROTO_UDP: 1169 local_filter_proto = "udp"; 1170 break; 1171 1172#ifdef IPPROTO_ETHERIP 1173 case IPPROTO_ETHERIP: 1174 local_filter_proto = "etherip"; 1175 break; 1176#endif 1177 1178 default: 1179 sprintf (local_filter_proto_num, "%2d", idlocal[ISAKMP_GEN_SZ + 1]); 1180 local_filter_proto = local_filter_proto_num; 1181 break; 1182 } 1183 1184 snprintf (local_filter_port, sizeof local_filter_port - 1, 1185 "%u", decode_16 (idlocal + ISAKMP_GEN_SZ + 2)); 1186 } 1187 else 1188 { 1189 policy_sa->transport->vtbl->get_src (policy_sa->transport, 1190 (struct sockaddr **) &sin, 1191 &fmt); 1192 1193 local_filter_type = "IPv4 address"; 1194 1195 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_filter_addr_upper, 1196 sizeof local_filter_addr_upper - 1, 0); 1197 my_inet_ntop4 (&(sin->sin_addr.s_addr), local_filter_addr_lower, 1198 sizeof local_filter_addr_lower - 1, 0); 1199 local_filter = strdup (local_filter_addr_upper); 1200 if (!local_filter) 1201 { 1202 log_print ("policy_callback: strdup (\"%s\") failed", 1203 local_filter_addr_upper); 1204 goto bad; 1205 } 1206 } 1207 1208 LOG_DBG ((LOG_SA, 80, "Policy context (action attributes):")); 1209 LOG_DBG ((LOG_SA, 80, "esp_present == %s", esp_present)); 1210 LOG_DBG ((LOG_SA, 80, "ah_present == %s", ah_present)); 1211 LOG_DBG ((LOG_SA, 80, "comp_present == %s", comp_present)); 1212 LOG_DBG ((LOG_SA, 80, "ah_hash_alg == %s", ah_hash_alg)); 1213 LOG_DBG ((LOG_SA, 80, "esp_enc_alg == %s", esp_enc_alg)); 1214 LOG_DBG ((LOG_SA, 80, "comp_alg == %s", comp_alg)); 1215 LOG_DBG ((LOG_SA, 80, "ah_auth_alg == %s", ah_auth_alg)); 1216 LOG_DBG ((LOG_SA, 80, "esp_auth_alg == %s", esp_auth_alg)); 1217 LOG_DBG ((LOG_SA, 80, "ah_life_seconds == %s", ah_life_seconds)); 1218 LOG_DBG ((LOG_SA, 80, "ah_life_kbytes == %s", ah_life_kbytes)); 1219 LOG_DBG ((LOG_SA, 80, "esp_life_seconds == %s", esp_life_seconds)); 1220 LOG_DBG ((LOG_SA, 80, "esp_life_kbytes == %s", esp_life_kbytes)); 1221 LOG_DBG ((LOG_SA, 80, "comp_life_seconds == %s", comp_life_seconds)); 1222 LOG_DBG ((LOG_SA, 80, "comp_life_kbytes == %s", comp_life_kbytes)); 1223 LOG_DBG ((LOG_SA, 80, "ah_encapsulation == %s", ah_encapsulation)); 1224 LOG_DBG ((LOG_SA, 80, "esp_encapsulation == %s", esp_encapsulation)); 1225 LOG_DBG ((LOG_SA, 80, "comp_encapsulation == %s", comp_encapsulation)); 1226 LOG_DBG ((LOG_SA, 80, "comp_dict_size == %s", comp_dict_size)); 1227 LOG_DBG ((LOG_SA, 80, "comp_private_alg == %s", comp_private_alg)); 1228 LOG_DBG ((LOG_SA, 80, "ah_key_length == %s", ah_key_length)); 1229 LOG_DBG ((LOG_SA, 80, "ah_key_rounds == %s", ah_key_rounds)); 1230 LOG_DBG ((LOG_SA, 80, "esp_key_length == %s", esp_key_length)); 1231 LOG_DBG ((LOG_SA, 80, "esp_key_rounds == %s", esp_key_rounds)); 1232 LOG_DBG ((LOG_SA, 80, "ah_group_desc == %s", ah_group_desc)); 1233 LOG_DBG ((LOG_SA, 80, "esp_group_desc == %s", esp_group_desc)); 1234 LOG_DBG ((LOG_SA, 80, "comp_group_desc == %s", comp_group_desc)); 1235 LOG_DBG ((LOG_SA, 80, "remote_filter_type == %s", remote_filter_type)); 1236 LOG_DBG ((LOG_SA, 80, "remote_filter_addr_upper == %s", 1237 remote_filter_addr_upper)); 1238 LOG_DBG ((LOG_SA, 80, "remote_filter_addr_lower == %s", 1239 remote_filter_addr_lower)); 1240 LOG_DBG ((LOG_SA, 80, "remote_filter == %s", 1241 (remote_filter ? remote_filter : ""))); 1242 LOG_DBG ((LOG_SA, 80, "remote_filter_port == %s", remote_filter_port)); 1243 LOG_DBG ((LOG_SA, 80, "remote_filter_proto == %s", remote_filter_proto)); 1244 LOG_DBG ((LOG_SA, 80, "local_filter_type == %s", local_filter_type)); 1245 LOG_DBG ((LOG_SA, 80, "local_filter_addr_upper == %s", 1246 local_filter_addr_upper)); 1247 LOG_DBG ((LOG_SA, 80, "local_filter_addr_lower == %s", 1248 local_filter_addr_lower)); 1249 LOG_DBG ((LOG_SA, 80, "local_filter == %s", 1250 (local_filter ? local_filter : ""))); 1251 LOG_DBG ((LOG_SA, 80, "local_filter_port == %s", local_filter_port)); 1252 LOG_DBG ((LOG_SA, 80, "local_filter_proto == %s", local_filter_proto)); 1253 LOG_DBG ((LOG_SA, 80, "remote_id_type == %s", remote_id_type)); 1254 LOG_DBG ((LOG_SA, 80, "remote_id_addr_upper == %s", 1255 remote_id_addr_upper)); 1256 LOG_DBG ((LOG_SA, 80, "remote_id_addr_lower == %s", 1257 remote_id_addr_lower)); 1258 LOG_DBG ((LOG_SA, 80, "remote_id == %s", (remote_id ? remote_id : ""))); 1259 LOG_DBG ((LOG_SA, 80, "remote_id_port == %s", remote_id_port)); 1260 LOG_DBG ((LOG_SA, 80, "remote_id_proto == %s", remote_id_proto)); 1261 LOG_DBG ((LOG_SA, 80, "remote_negotiation_address == %s", 1262 remote_ike_address)); 1263 LOG_DBG ((LOG_SA, 80, "local_negotiation_address == %s", 1264 local_ike_address)); 1265 LOG_DBG ((LOG_SA, 80, "pfs == %s", pfs)); 1266 LOG_DBG ((LOG_SA, 80, "initiator == %s", initiator)); 1267 LOG_DBG ((LOG_SA, 80, "phase1_group_desc == %s", phase1_group)); 1268 1269 /* Unset dirty now. */ 1270 dirty = 0; 1271 } 1272 1273 if (strcmp (name, "phase_1") == 0) 1274 return phase_1; 1275 1276 if (strcmp (name, "GMTTimeOfDay") == 0) 1277 { 1278 tt = time ((time_t) NULL); 1279 strftime (mytimeofday, 14, "%G%m%d%H%M%S", gmtime (&tt)); 1280 return mytimeofday; 1281 } 1282 1283 if (strcmp (name, "LocalTimeOfDay") == 0) 1284 { 1285 tt = time ((time_t) NULL); 1286 strftime (mytimeofday, 14, "%G%m%d%H%M%S", localtime (&tt)); 1287 return mytimeofday; 1288 } 1289 1290 if (strcmp (name, "initiator") == 0) 1291 return initiator; 1292 1293 if (strcmp (name, "pfs") == 0) 1294 return pfs; 1295 1296 if (strcmp (name, "app_domain") == 0) 1297 return "IPsec policy"; 1298 1299 if (strcmp (name, "doi") == 0) 1300 return "ipsec"; 1301 1302 if (strcmp (name, "esp_present") == 0) 1303 return esp_present; 1304 1305 if (strcmp (name, "ah_present") == 0) 1306 return ah_present; 1307 1308 if (strcmp (name, "comp_present") == 0) 1309 return comp_present; 1310 1311 if (strcmp (name, "ah_hash_alg") == 0) 1312 return ah_hash_alg; 1313 1314 if (strcmp (name, "ah_auth_alg") == 0) 1315 return ah_auth_alg; 1316 1317 if (strcmp (name, "esp_auth_alg") == 0) 1318 return esp_auth_alg; 1319 1320 if (strcmp (name, "esp_enc_alg") == 0) 1321 return esp_enc_alg; 1322 1323 if (strcmp (name, "comp_alg") == 0) 1324 return comp_alg; 1325 1326 if (strcmp (name, "ah_life_kbytes") == 0) 1327 return ah_life_kbytes; 1328 1329 if (strcmp (name, "ah_life_seconds") == 0) 1330 return ah_life_seconds; 1331 1332 if (strcmp (name, "esp_life_kbytes") == 0) 1333 return esp_life_kbytes; 1334 1335 if (strcmp (name, "esp_life_seconds") == 0) 1336 return esp_life_seconds; 1337 1338 if (strcmp (name, "comp_life_kbytes") == 0) 1339 return comp_life_kbytes; 1340 1341 if (strcmp (name, "comp_life_seconds") == 0) 1342 return comp_life_seconds; 1343 1344 if (strcmp (name, "ah_encapsulation") == 0) 1345 return ah_encapsulation; 1346 1347 if (strcmp (name, "esp_encapsulation") == 0) 1348 return esp_encapsulation; 1349 1350 if (strcmp (name, "comp_encapsulation") == 0) 1351 return comp_encapsulation; 1352 1353 if (strcmp (name, "ah_key_length") == 0) 1354 return ah_key_length; 1355 1356 if (strcmp (name, "ah_key_rounds") == 0) 1357 return ah_key_rounds; 1358 1359 if (strcmp (name, "esp_key_length") == 0) 1360 return esp_key_length; 1361 1362 if (strcmp (name, "esp_key_rounds") == 0) 1363 return esp_key_rounds; 1364 1365 if (strcmp (name, "comp_dict_size") == 0) 1366 return comp_dict_size; 1367 1368 if (strcmp (name, "comp_private_alg") == 0) 1369 return comp_private_alg; 1370 1371 if (strcmp (name, "remote_filter_type") == 0) 1372 return remote_filter_type; 1373 1374 if (strcmp (name, "remote_filter") == 0) 1375 return (remote_filter ? remote_filter : ""); 1376 1377 if (strcmp (name, "remote_filter_addr_upper") == 0) 1378 return remote_filter_addr_upper; 1379 1380 if (strcmp (name, "remote_filter_addr_lower") == 0) 1381 return remote_filter_addr_lower; 1382 1383 if (strcmp (name, "remote_filter_port") == 0) 1384 return remote_filter_port; 1385 1386 if (strcmp (name, "remote_filter_proto") == 0) 1387 return remote_filter_proto; 1388 1389 if (strcmp (name, "local_filter_type") == 0) 1390 return local_filter_type; 1391 1392 if (strcmp (name, "local_filter") == 0) 1393 return (local_filter ? local_filter : ""); 1394 1395 if (strcmp (name, "local_filter_addr_upper") == 0) 1396 return local_filter_addr_upper; 1397 1398 if (strcmp (name, "local_filter_addr_lower") == 0) 1399 return local_filter_addr_lower; 1400 1401 if (strcmp (name, "local_filter_port") == 0) 1402 return local_filter_port; 1403 1404 if (strcmp (name, "local_filter_proto") == 0) 1405 return local_filter_proto; 1406 1407 if (strcmp (name, "remote_ike_address") == 0) 1408 return remote_ike_address; 1409 1410 if (strcmp (name, "remote_negotiation_address") == 0) 1411 return remote_ike_address; 1412 1413 if (strcmp (name, "local_ike_address") == 0) 1414 return local_ike_address; 1415 1416 if (strcmp (name, "local_negotiation_address") == 0) 1417 return local_ike_address; 1418 1419 if (strcmp (name, "remote_id_type") == 0) 1420 return remote_id_type; 1421 1422 if (strcmp (name, "remote_id") == 0) 1423 return (remote_id ? remote_id : ""); 1424 1425 if (strcmp (name, "remote_id_addr_upper") == 0) 1426 return remote_id_addr_upper; 1427 1428 if (strcmp (name, "remote_id_addr_lower") == 0) 1429 return remote_id_addr_lower; 1430 1431 if (strcmp (name, "remote_id_port") == 0) 1432 return remote_id_port; 1433 1434 if (strcmp (name, "remote_id_proto") == 0) 1435 return remote_id_proto; 1436 1437 if (strcmp (name, "phase1_group_desc") == 0) 1438 return phase1_group; 1439 1440 return ""; 1441 1442 bad: 1443 policy_callback (KEYNOTE_CALLBACK_INITIALIZE); 1444 return ""; 1445} 1446 1447void 1448policy_init (void) 1449{ 1450 char *ptr, *policy_file; 1451 char **asserts; 1452 struct stat st; 1453 int fd, len, i; 1454 1455 LOG_DBG ((LOG_MISC, 50, "policy_init: initializing")); 1456 1457#if defined (HAVE_DLOPEN) && !defined (USE_KEYNOTE) 1458 if (!dyn_load (libkeynote_script)) 1459 return; 1460#endif 1461 1462 /* If there exists a session already, release all its resources. */ 1463 if (keynote_sessid != -1) 1464 LK (kn_close, (keynote_sessid)); 1465 1466 /* Initialize a session. */ 1467 keynote_sessid = LK (kn_init, ()); 1468 if (keynote_sessid == -1) 1469 log_fatal ("policy_init: kn_init () failed"); 1470 1471 /* Get policy file from configuration. */ 1472 policy_file = conf_get_str ("General", "policy-file"); 1473 if (!policy_file) 1474 policy_file = POLICY_FILE_DEFAULT; 1475 1476 /* Open policy file. */ 1477 fd = open (policy_file, O_RDONLY); 1478 if (fd == -1) 1479 log_fatal ("policy_init: open (\"%s\", O_RDONLY) failed", policy_file); 1480 1481 /* Get size. */ 1482 if (fstat (fd, &st) == -1) 1483 log_fatal ("policy_init: fstat (%d, &st) failed", fd); 1484 1485 /* Allocate memory to keep policies. */ 1486 ptr = calloc (st.st_size + 1, sizeof (char)); 1487 if (!ptr) 1488 log_fatal ("policy_init: calloc (%d, %d) failed", st.st_size, 1489 sizeof (char)); 1490 1491 /* Just in case there are short reads... */ 1492 for (len = 0; len < st.st_size; len += i) 1493 { 1494 i = read (fd, ptr + len, st.st_size - len); 1495 if (i == -1) 1496 log_fatal ("policy_init: read (%d, %p, %d) failed", fd, ptr + len, 1497 st.st_size - len); 1498 } 1499 1500 /* We're done with this. */ 1501 close (fd); 1502 1503 /* Parse buffer, break up into individual policies. */ 1504 asserts = LK (kn_read_asserts, (ptr, st.st_size, &i)); 1505 1506 /* Begone! */ 1507 free (ptr); 1508 1509 /* Add each individual policy in the session. */ 1510 for (fd = 0; fd < i; fd++) 1511 { 1512 if (LK (kn_add_assertion, (keynote_sessid, asserts[fd], 1513 strlen (asserts[fd]), ASSERT_FLAG_LOCAL)) 1514 == -1) 1515 log_print ("policy_init: " 1516 "kn_add_assertion (%d, %p, %d, ASSERT_FLAG_LOCAL) failed", 1517 keynote_sessid, asserts[fd], strlen (asserts[fd])); 1518 } 1519 1520 /* Cleanup */ 1521 if (keynote_policy_asserts) 1522 { 1523 for (fd = 0; fd < keynote_policy_asserts_num; fd++) 1524 if (keynote_policy_asserts && keynote_policy_asserts[fd]) 1525 free (keynote_policy_asserts[fd]); 1526 1527 free (keynote_policy_asserts); 1528 } 1529 1530 keynote_policy_asserts = asserts; 1531 keynote_policy_asserts_num = i; 1532} 1533 1534/* Nothing needed for initialization */ 1535int 1536keynote_cert_init (void) 1537{ 1538 return 1; 1539} 1540 1541/* Just copy and return */ 1542void * 1543keynote_cert_get (u_int8_t *data, u_int32_t len) 1544{ 1545 char *foo = calloc (len + 1, sizeof(char)); 1546 1547 if (foo == NULL) 1548 return NULL; 1549 1550 memcpy (foo, data, len); 1551 return foo; 1552} 1553 1554/* 1555 * We just verify the signature on the credentials. 1556 * On signature failure, just drop the whole payload. 1557 */ 1558int 1559keynote_cert_validate (void *scert) 1560{ 1561 char **foo; 1562 int num, i; 1563 1564 if (scert == NULL) 1565 return 0; 1566 1567 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1568 &num)); 1569 if (foo == NULL) 1570 return 0; 1571 1572 for (i = 0; i < num; i++) 1573 { 1574 if (LK (kn_verify_assertion, (scert, strlen ((char *) scert))) != 1575 SIGRESULT_TRUE) 1576 { 1577 for (; i < num; i++) 1578 free (foo[i]); 1579 free (foo); 1580 return 0; 1581 } 1582 1583 free (foo[i]); 1584 } 1585 1586 free (foo); 1587 return 1; 1588} 1589 1590/* Add received credentials */ 1591int 1592keynote_cert_insert (int sid, void *scert) 1593{ 1594 char **foo; 1595 int num; 1596 1597 if (scert == NULL) 1598 return 0; 1599 1600 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), 1601 &num)); 1602 if (foo == NULL) 1603 return 0; 1604 1605 while (num--) 1606 LK (kn_add_assertion, (sid, foo[num], strlen (foo[num]), 0)); 1607 1608 return 1; 1609} 1610 1611/* Just regular memory free */ 1612void 1613keynote_cert_free (void *cert) 1614{ 1615 free (cert); 1616} 1617 1618/* Verify that the key given to us is valid */ 1619int 1620keynote_certreq_validate (u_int8_t *data, u_int32_t len) 1621{ 1622 struct keynote_deckey dc; 1623 int err = 1; 1624 char *dat; 1625 1626 dat = calloc (len + 1, sizeof(char)); 1627 if (dat == NULL) 1628 return 0; 1629 1630 memcpy (dat, data, len); 1631 1632 if (LK (kn_decode_key, (&dc, dat, KEYNOTE_PUBLIC_KEY)) != 0) 1633 err = 0; 1634 else 1635 LK (kn_free_key, (&dc)); 1636 1637 free (dat); 1638 1639 return err; 1640} 1641 1642/* Beats me what we should be doing with this */ 1643void * 1644keynote_certreq_decode (u_int8_t *data, u_int32_t len) 1645{ 1646 /* XXX */ 1647 return NULL; 1648} 1649 1650void 1651keynote_free_aca (void *blob) 1652{ 1653 /* XXX */ 1654} 1655 1656int 1657keynote_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, 1658 u_int32_t *certlen) 1659{ 1660 char *dirname, *file; 1661 struct stat sb; 1662 int idtype, fd, len; 1663 1664 if (!id) 1665 { 1666 log_print ("keynote_cert_obtain: ID is missing"); 1667 return 0; 1668 } 1669 1670 /* Get type of ID */ 1671 idtype = id[0]; 1672 id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1673 id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; 1674 1675 dirname = conf_get_str ("KeyNote", "Credential-directory"); 1676 if (!dirname) 1677 { 1678 log_print ("keynote_cert_obtain: no Credential-directory"); 1679 return 0; 1680 } 1681 1682 len = strlen (dirname) + strlen (CREDENTIAL_FILE) + 3; 1683 1684 switch (idtype) 1685 { 1686 case IPSEC_ID_IPV4_ADDR: 1687 { 1688 struct in_addr in; 1689 1690 file = calloc (len + 15, sizeof(char)); 1691 if (file == NULL) 1692 { 1693 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1694 len + 15); 1695 return 0; 1696 } 1697 1698 memcpy (&in, id, sizeof(in)); 1699 sprintf (file, "%s/%s/%s", dirname, inet_ntoa (in), CREDENTIAL_FILE); 1700 break; 1701 } 1702 1703 case IPSEC_ID_FQDN: 1704 case IPSEC_ID_USER_FQDN: 1705 { 1706 file = calloc (len + id_len, sizeof(char)); 1707 if (file == NULL) 1708 { 1709 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1710 len + id_len); 1711 return 0; 1712 } 1713 1714 sprintf (file, "%s/", dirname); 1715 memcpy (file + strlen (file), id, id_len); 1716 sprintf (file + strlen (dirname) + 1 + id_len, "/%s", CREDENTIAL_FILE); 1717 break; 1718 } 1719 1720 default: 1721 return 0; 1722 } 1723 1724 if (stat (file, &sb) < 0) 1725 { 1726 log_print ("keynote_cert_obtain: failed to stat \"%s\"", file); 1727 free (file); 1728 return 0; 1729 } 1730 1731 *cert = calloc (sb.st_size, sizeof(char)); 1732 if (*cert == NULL) 1733 { 1734 log_print ("keynote_cert_obtain: failed to allocate %d bytes", 1735 sb.st_size); 1736 free (file); 1737 return 0; 1738 } 1739 1740 fd = open (file, O_RDONLY, 0); 1741 if (fd < 0) 1742 { 1743 log_print ("keynote_cert_obtain: failed to open \"%s\"", file); 1744 free (file); 1745 return 0; 1746 } 1747 1748 if (read (fd, *cert, sb.st_size) != sb.st_size) 1749 { 1750 log_print ("keynote_cert_obtain: failed to read %d bytes from \"%s\"", 1751 sb.st_size, file); 1752 free (file); 1753 close (fd); 1754 return 0; 1755 } 1756 1757 close (fd); 1758 free (file); 1759 *certlen = sb.st_size; 1760 return 1; 1761} 1762 1763/* This should never be called */ 1764int 1765keynote_cert_get_subjects (void *scert, int *n, u_int8_t ***id, 1766 u_int32_t **id_len) 1767{ 1768 return 0; 1769} 1770 1771/* Get the Authorizer key */ 1772int 1773keynote_cert_get_key (void *scert, void *keyp) 1774{ 1775 struct keynote_keylist *kl; 1776 int sid, num; 1777 char **foo; 1778 1779 foo = LK (kn_read_asserts, ((char *) scert, strlen ((char *) scert), &num)); 1780 if ((foo == NULL) || (num == 0)) 1781 return 0; 1782 1783 sid = LK (kn_add_assertion, (keynote_sessid, foo[num - 1], 1784 strlen (scert), 0)); 1785 while (num--) 1786 free (foo[num]); 1787 free (foo); 1788 1789 if (sid == -1) 1790 return 0; 1791 1792 *(RSA **)keyp = NULL; 1793 1794 kl = LK (kn_get_licensees, (keynote_sessid, sid)); 1795 while (kl) 1796 { 1797 if (kl->key_alg == KEYNOTE_ALGORITHM_RSA) 1798 { 1799 *(RSA **)keyp = LC (RSAPublicKey_dup, (kl->key_key)); 1800 break; 1801 } 1802 1803 kl = kl->key_next; 1804 } 1805 1806 LK (kn_remove_assertion, (keynote_sessid, sid)); 1807 return *(RSA **)keyp == NULL ? 0 : 1; 1808} 1809